We (re)define session types as projections of process behaviors with respect to the communication channels they use. In this setting, we give session types a semantics based on fair testing. The outcome is a unified theory of behavioral types that shares common aspects with conversation types and that encompasses features of both dyadic and multi-party session types. The point of view we provide sheds light on the nature of session types and gives us a chance to reason about them in a framework where every notion, from well-typedness to the subtyping relation between session types, is semantically - rather than syntactically - grounded.

1 Introduction 

The leitmotif in the flourishing literature on session types [14, 15, 16] is to associate every communication channel with a type that constrains how a process can use that channel. In this paper we take the opposite perspective: we define the session type associated with a channel as the projection of the behavior of the processes restricted to how that channel is used by them. As expected, this approach requires a language of session types that is more general than the ones we usually encounter in other works. But - this is in summary the contribution of this work - the language we come up with is just a minor variation of well-known value-passing process algebras that can be semantically characterized using well-known concepts and techniques.

To get acquainted with our approach, let us consider the following example, written in a π-calculus-like language, which is a slightly simplified variant of the motivating example in [16]:

Seller = a?(x).x?(title : String).x!price(title).x?(addr : Address).x!date(title)
Buyer1 = (νc)a!c.c!"The Origin of Species".c?(price : Int).(νd)b!d.d!price/2.d!c
Buyer2 = b?(y).y?(contrib : Int).y?(z).z!address.z?(d : Date)

Here we have two buyers that collaborate with each other in order to complete a transaction with a seller. Buyer1 creates a local channel c that it sends to Seller through the public channel a. The channel c is normally dubbed session: it is a fresh channel shared by Buyer1 and Seller on which the two can communicate privately. On c, Buyer1 sends to the Seller the name of a book, and Seller answers with its price. At this stage Buyer1 asks for the collaboration of Buyer2: it creates another fresh channel d which it communicates to Buyer2 by means of the public channel b, it sends Buyer2 the amount of money Buyer2 should contribute, and finally it delegates the private channel c to Buyer2, so that Buyer2 can complete the transaction with the Seller. This implies sending the Seller a delivery address and receiving the estimated delivery date.

Let us focus on the public channels a and b: the former is used by Buyer1 for sending a channel of some type, say η, and is used by Seller for receiving a channel of the same type. In our approach we say that the type of a is ?η.1 | !η.1, where ?η.1 is the projected behavior of Seller on a, !η.1 is the projected behavior of Buyer1 on a, and | denotes the composition of these two behaviors. In a similar way, b is used by Buyer1 and Buyer2 and has type ?θ.1 | !θ.1, assuming that the channel exchanged between Buyer1 and Buyer2 has type θ. Channel c is more interesting: it is created by Buyer1, which uses it according to the type !String.?Int. However, c is delegated to Seller right after its creation, and to Buyer2 when Buyer1 has finished using it. So, the true type of c is η | !String.?Int.ρ, where η is the projection of Seller's behavior with respect to the channel c (after it has been received by Seller), and ρ is the projection of Buyer2's behavior with respect to the same channel after it has been received by Buyer2. By similar arguments, one can see that the type of d is θ | !Int.!ρ.1, and the mentioned types η, θ, and ρ are defined as ?String.!Int.?Address.!Date.1, ?Int.?ρ.1, and !Address.?Date.1, respectively. If we were to depict the projection we have operated for typing the channels in the example, we could summarize it as follows:

        Seller                             Buyer1              Buyer2

a:      ?η.1                             | !η.1
b:                                         !θ.1              | ?θ.1
c:      ?String.!Int.?Address.!Date.1    | !String.?Int.ρ    | !Address.?Date.1
d:                                         !Int.!ρ.1         | ?Int.?ρ.1

Can we tell whether the system composed of Seller and the two buyers "behaves well"? Although at this stage we have not given a formal semantics to session types, by looking at the types for the various channels involved in the example we can argue that they all eventually "reduce" to a parallel composition of 1's. If we read the type 1 as the fact that a process stops using a channel with that type, this roughly indicates that all the conversations initiated in the example eventually terminate successfully.

The projection we have operated abstracts away from the temporal dependencies between communications occurring on different channels. This is a well-known source of problems if one is interested in global progress properties. In our approach, and unlike other presentations of session types, we do not even try to impose any linearity constraint on the channels being used, nor do we use polarities [11] or indexes [16, 11] for distinguishing different roles. For example, the process Buyer1 keeps using channel c after it has been delegated, and it delegates the channel once more before terminating. As a consequence, the projection we operate may not even capture the temporal dependencies between communications occurring on the same channel. This can happen if two distinct free variables are instantiated with the same channel during some execution. Thus, we must impose additional constraints on processes only to ensure the type preservation property. Interestingly, we will see that these additional constraints are similar to those used for ensuring global progress [9, 1, 3].

We can identify three main contributions of this work: (1) we show that session types can be naturally generalized to an algebraic language of processes that closely resembles value-passing CCS; (2) as a consequence, we are able to work on session types reusing a vast toolkit of known results and techniques; in particular, we are able to semantically justify the fundamental concepts (duality, well-typedness, the subtyping relation) that are axiomatically or syntactically presented in other theories; (3) we provide a unified framework of behavioral types that encompasses features not only of dyadic and multi-party session types, but also of conversation types [2].

Structure of the paper. In Section 2 we define session types as a proper process algebra equipped with a labeled transition system and a testing semantics based on fair testing. This will immediately provide us with a semantically justified equivalence relation - actually, a pre-order - to reason about safe replacement of channels and well-behaving systems. In Section 3 we formally define a process language that is a minor variant of the π-calculus without any explicit construct that is dedicated to session-oriented interaction. We will show how to type processes in this language and illustrate the main features of the type system with several examples. Finally, we will state the main properties (type preservation and local progress) of our typing relation. Section 4 concludes.

Related work. Theories of dyadic session types can be traced back to the works of Honda [14] and Honda et al. [15]. Since then, the application of session types has been extended to functional languages [20, 12] and object-oriented languages (see [9, 10, 8] for just a few examples). A major line of research is the one dealing with so-called multi-party session types, those describing sessions where multiple participants interact simultaneously [16, 1]. An in-depth study of a subtyping relation for session types can be found in [11], while [19] provides an incremental tutorial presentation of the most relevant features of dyadic session types.

Conversation types [2] are a recently introduced formalism that aims at generalizing session types for the description of the behavior of processes that interact within and across the scope of structurally organized communications called conversations. Conversation types are very similar to the language of session types we propose here; for example, they embed a parallel composition operator for representing the composed behavior of several processes simultaneously accessing a conversation. The difference with our approach mainly resides in the semantics of types: we treat session types as terms of a proper process algebra with a proper transition relation, and all the relevant notions on types originate from here. In [2], the semantics of conversation types is given in terms of syntactically-defined notions of subtyping and merging. Also, [2] uses a process language that incorporates explicit constructs for dealing with conversations, while we emphasize the idea of projected behavior by working with the naked π-calculus.

Elsewhere [3] we have been advocating the use of a testing approach in order to semantically justify session types. Unlike [3], here we disallow branch selection depending on the type of channels. This reduces the expressiveness of types for the sake of a simplification of the technicalities in the resulting theory. Another difference is that in the present paper we adopt a fair testing approach [18].

Finally, it should be mentioned that the use of processes as types has already been proposed in the past, for example in [17]. In particular, [17] uses a language close to value-passing CCS for defining an effect system for Concurrent ML.

2 Syntax and semantics of session types 

Let us fix some conventions: η, θ, ρ, ... range over session types; α, ... range over actions; t, s, ... range over types; v, ... range over an unspecified set 𝒱 of basic values; B, ... range over an unspecified set of basic types such as Int, Bool, String, and so on. The syntax of session types is defined by the grammar in Table 1. Types represent sets of related values: 0 is the empty type, the one inhabited by no value; basic types are arbitrary subsets of 𝒱; for every v ∈ 𝒱 we write v for the singleton type whose only value is v itself. We will write v : t to state that v inhabits type t and we will sometimes say that v is of type t.

Actions represent input/output operations on a channel. An action !t represents the sending of an arbitrary value of type t; an action ?t represents the receiving of an arbitrary value of type t; actions !η and ?η are similar but they respectively represent the sending and receiving of a channel of type η.

Table 1: Syntax of session types.

    η ::= 0          (error)                 α ::= !t      (value output)
        | 1          (success)                   | ?t      (value input)
        | α.η        (action prefix)             | !η      (delegation)
        | η + η      (external choice)           | ?η      (channel input)
        | η ⊕ η      (internal choice)
        | η | η      (composition)           t ::= 0       (empty type)
                                                 | B       (basic type)
                                                 | v       (singleton type)

Although session types are used to classify channels, they describe the behavior of processes using those channels. Consistently with this observation, we will often present session types as characterizing processes rather than channels. In the explanation that follows, it is useful to keep in mind that, when a process uses a channel according to some protocol described by a session type, it expects to interact with other processes that use the same channel according to other protocols. For a communication to occur, the process must perform an action on the channel (say, sending a value of some type), and another process must perform the corresponding co-action (say, receiving a value of the same type). The session type 0 classifies a channel on which a communication error has occurred. No correct system should ever involve channels typed by 0, and we will see that it is useful to have an explicit term denoting a static error. The session type 1 describes a process that performs no further action on a channel. The session type α.η describes a process that performs the action α, and then behaves according to the protocol η. The session type η + θ is the external choice of η and θ and describes a process that offers interacting processes to behave according to one of the branches. Dually, the session type η ⊕ θ is the internal choice of η and θ and describes a process that internally decides to behave according to one of the branches. The session type η | θ describes the simultaneous access to a shared channel by two processes behaving according to η and θ.¹ If we have n processes sharing a common channel and each process behaves according to some protocol η_i, then η_1 | ··· | η_n describes the overall protocol implemented by the processes on the channel.

We do not rely on any explicit syntax for describing recursive behaviors. We borrow the technique already used in [3] and define the set of session types as the set of possibly infinite syntax trees generated by the productions of the grammar in Table 1 that satisfy the following conditions:

1. the tree must contain a finite number of different subtrees;

2. on every infinite branch of the tree there must be infinite occurrences of the action prefix operator;

3. the tree must contain a finite number of occurrences of the parallel composition operator.

The first condition is a standard regularity condition imposing that the tree must be a regular tree [10]. The second one is a contractivity condition ruling out meaningless regular trees such as those generated by the equations X = X + X or X = X ⊕ X. Finally, it can be shown that the last condition enforces that the protocol described by a session type is "finite state".

To familiarize with session types consider the following two examples:

?Int.!String.1 + ?Bool.!Real.1

describes a process that waits for either an integer number or a Boolean value. If the process receives an integer number, it sends a string; if the process receives a Boolean value, it sends a real number. After that, in either case, the process stops using the channel. Instead, the session type !Int.1 ⊕ !Bool.1 describes a process that internally decides whether to send an integer or a Boolean value.

It may seem that the syntax of session types is overly generic, and that external choices make sense only when they are guarded by input actions and internal choices make sense only when they are guarded by output actions. As a matter of fact, this is a common restriction in standard session type presentations. In our approach, this generality is actually necessary: a session type η = !Int.1 | !Bool.1 describes two processes trying to simultaneously send an integer and a Boolean value on the same channel. A process interacting with these two parties is allowed to read both values in either order, since both are available. In other words, the session type η is equivalent to !Int.!Bool.1 + !Bool.!Int.1, that is, the interleaving of the actions in η. Had we expanded η to !Int.!Bool.1 ⊕ !Bool.!Int.1 instead, no interacting process would be able to decide which value, the integer or the Boolean value, to read first. The ability to express parallel composition in terms of choices is well studied in process algebra communities, where it goes under the name of expansion law [7, 13]. This ability is fundamental in order to define complete proof systems and algorithms for deciding equivalences. Decidability issues aside, we envision two more reasons why this generality is appealing: first, it allows us to express the typing rules (Section 3) in a more compositional way, which is particularly important in our approach where we aim at capturing full, unconstrained process behaviors; second, it clearly separates communications (represented by actions) from choices, thus yielding a clean, algebraic type language with orthogonal features.

¹ We use the word "shared" to highlight the fact that two (or more) processes simultaneously act on the same channel. This should not be confused with the terminology used in different session type theories, where "shared channels" are publicly known channels on which sessions are initiated.

Table 2: Transitions of session types.

We equip session types with an operational semantics that mimics the actions performed by processes behaving according to these types. The labeled transition system of session types is defined by the rules in Table 2 plus the obvious symmetric rules of those concerning choices and parallel composition. Transitions make use of labels ranged over by μ, ... and generated by the grammar:

$$\mu ::= \checkmark \mid ?v \mid !v \mid ?\eta \mid !\eta$$

Strictly speaking, the transition system is defined by two relations: a labeled one -μ-> describing external, visible actions and an unlabeled one --> describing internal, invisible actions. Thus, the transition system is an extension of the one of CCS without τ's [7] to a value-passing calculus. Rule (R1) states that the session type 1 emits a single action ✓ denoting successful termination of the protocol, and reduces to itself. By rule (R2), the session type η ⊕ θ can perform an internal transition to either η or θ. Rules (R3) and (R4) deal with output actions. The session type !v.η emits the value v and reduces to η. Similarly, !ρ.η emits a signal !ρ (the output of a channel of type ρ). Rule (R5) is the dual of rule (R4) and states that ?ρ.η emits a signal ?ρ (the input of a channel of type ρ). Rule (R6) states that a process behaving according to !t.η internally chooses a value v of type t to send, and once it has committed to such a value it reduces to !v.η. Rule (R7) is the dual of rule (R3), but because of rule (R6) observe that a process behaving according to !t.η commits to sending one particular value of type t, whereas a process behaving according to ?t.η is able to receive any value of type t. Rule (R8) states that + is indeed an external choice, thus internal choices in either branch do not preempt the other branch. This is a typical reduction rule for those languages with two different choices, such as CCS without τ's [7]. Rules (R9) and (R10) state obvious reductions for external choices, which offer any action that is offered in either branch, and parallel compositions, which allow either component to internally evolve independently. Rule (R11) states that any action other than ✓ is offered by a parallel composition whenever it is offered by one of the components; rule (R12) states that a parallel composition has successfully terminated only if both components have; rule (R13) states the obvious synchronization between components offering dual actions. Rule (R14) states that a process sending a channel of type ρ can synchronize with another process willing to receive a channel of type ρ', but only if ρ ≼ ρ'. Here ≼ is a subtyping relation meaning that any channel of type ρ can be used where a channel of type ρ' is expected. We shall formally define ≼ in a moment; for the time being we must content ourselves with this intuition. Rule (R15) states that if the relation ρ ≼ ρ' is not satisfied, the synchronization occurs nonetheless, but it yields an error.

Before we move on to the subtyping relation for session types, we should point out a fundamental design decision that relates communication and external choices. On the one hand, values other than channels may drive the selection of the branch in external choices. For example, we have ?Int.η + ?Bool.θ -?v-> η for every value v : Int, while ?Int.η + ?Bool.θ -?v-> θ for every value v : Bool. The type of the value determines the branch, and this feature allows us to model the label-driven branch selection that is found in standard session type theories. On the other hand, the last two rules in Table 2 show that branch selection cannot be affected by the type of the channel being communicated. It is true that ?ρ.η + ?ρ'.θ -?ρ-> η and ?ρ.η + ?ρ'.θ -?ρ'-> θ, but when we compose ?ρ.η + ?ρ'.θ with !ρ''.θ' either reduction is possible, and the residual may or may not be 0 depending on the relation between ρ, ρ', and ρ'':

$$\frac{\rho'' \preccurlyeq \rho}{?\rho.\eta + ?\rho'.\theta \mid !\rho''.\theta' \longrightarrow \eta \mid \theta'} \qquad\qquad \frac{\rho'' \not\preccurlyeq \rho}{?\rho.\eta + ?\rho'.\theta \mid !\rho''.\theta' \longrightarrow 0}$$

To be sure that the residual is not 0, it must be the case that ρ'' ≼ ρ and ρ'' ≼ ρ'. In summary, we do not allow dynamic dispatching according to the type of a channel, namely all channels are treated as if they had the same type. This is not the only possible choice (see [3] for an alternative), but it is one that simplifies the theory.

In the following we adopt standard conventions regarding the transition relations: we write ==> for the reflexive, transitive closure of -->; we write η -μ-> (respectively, η =μ=>) if there exists θ such that η -μ-> θ (respectively, η ==> -μ-> θ); we write -/-> and =/=> for the usual negated relations; for example, η -/-> means that η does not perform internal transitions.

The first semantic characterization we give is that of complete session type, namely a session type that can always reach a successful state, no matter its internal transitions.

Definition 2.1 (completeness). We say that η is complete if η ==> η' implies η' =✓=>.

Intuitively, a complete protocol is one implemented by processes which can always successfully terminate their interaction, without the help of any other process. Observe, as a side note, that completeness implies that no evolution of the system may yield an error or lead to a state where one process insists on sending a message that no interacting party is willing to accept. 1 is the simplest complete session type; the session types ?η.1 | !η.1 and η | !String.?Int.ρ we have seen in the introduction are also complete, since every maximal transition sequence leads to a successfully terminated state. The simplest example of incomplete session type is 0, another example being ?Int.1 | !Real.1 because of the maximal reduction ?Int.1 | !Real.1 --> ?Int.1 | !v.1, where v is a real number that is not an integer. If we take η as the solution of the equation X = ?Int.X and θ as the solution of the equation Y = !Int.Y, we have that η | θ is not complete, despite it never reaching a deadlock state. In this sense the notion of completeness embeds a fairness principle that is typically found in fair testing theories [18].
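The following script is an added example (not code from the paper) that mechanizes the value-passing fragment of the transition system just described and decides Definition 2.1 by exhaustive state exploration, which is possible because session types are finite state. It assumes that each basic type is approximated by a small constructed set of representative values (so that rules (R6) and (R7) yield finitely many transitions), that recursion is expressed through named equations, and it omits channel passing (rules (R4), (R5), (R14), (R15)), whose synchronization depends on ≼. It checks the examples of this paragraph, the !Int.1 | !Bool.1 expansion example above, and the 1 + ?Int.1 / 1 ⊕ !Int.1 and !Int.1 + !Bool.0 examples of Remark 2.2 later in this section.

```python
# Assumption: basic types approximated by small constructed sets of values.
BASIC = {
    "Int": {3, 4},
    "Real": {3, 4, 2.5},        # Int is taken to be a subtype of Real
    "Bool": {"tt", "ff"},       # not True/False: in Python, True == 1
    "String": {"s"},
}
DEFS = {}                       # recursion variable name -> contractive body
TICK = ("tick",)                # the success label (a check mark in the paper)

# Session types are nested tuples: ("0",), ("1",), ("out", t, eta) for !t.eta,
# ("outv", v, eta) for !v.eta, ("in", t, eta) for ?t.eta, ("plus", a, b),
# ("oplus", a, b), ("par", a, b) and ("rec", name).
ONE, ZERO = ("1",), ("0",)
def out(t, eta): return ("out", t, eta)
def inp(t, eta): return ("in", t, eta)
def plus(a, b): return ("plus", a, b)
def oplus(a, b): return ("oplus", a, b)
def par(a, b): return ("par", a, b)

def unfold(eta):
    """Expose a constructor by unfolding recursion variables."""
    while eta[0] == "rec":
        eta = DEFS[eta[1]]
    return eta

def visible(eta):
    """Labelled transitions as (label, residual) pairs; labels are TICK, ("!", v), ("?", v)."""
    eta = unfold(eta)
    tag = eta[0]
    if tag == "1":                                   # (R1): 1 emits tick and stays 1
        return {(TICK, eta)}
    if tag == "outv":                                # (R3): !v.eta emits v
        return {(("!", eta[1]), eta[2])}
    if tag == "in":                                  # (R7): ?t.eta receives any v : t
        return {(("?", v), eta[2]) for v in BASIC[eta[1]]}
    if tag == "plus":                                # (R9): + offers both branches
        return visible(eta[1]) | visible(eta[2])
    if tag == "par":
        left, right = eta[1], eta[2]
        vl, vr = visible(left), visible(right)
        res = {(mu, par(l2, right)) for mu, l2 in vl if mu != TICK}       # (R11)
        res |= {(mu, par(left, r2)) for mu, r2 in vr if mu != TICK}
        if any(mu == TICK for mu, _ in vl) and any(mu == TICK for mu, _ in vr):
            res.add((TICK, eta))                     # (R12): both sides terminated
        return res
    return set()                                     # 0, !t.eta, internal choice

def internal(eta):
    """Unlabelled transitions: residuals reachable in one internal step."""
    eta = unfold(eta)
    tag = eta[0]
    if tag == "oplus":                               # (R2)
        return {eta[1], eta[2]}
    if tag == "out":                                 # (R6): commit to one value of type t
        return {("outv", v, eta[2]) for v in BASIC[eta[1]]}
    if tag == "plus":                                # (R8): internal steps do not preempt +
        return ({plus(l2, eta[2]) for l2 in internal(eta[1])}
                | {plus(eta[1], r2) for r2 in internal(eta[2])})
    if tag == "par":
        left, right = eta[1], eta[2]
        res = {par(l2, right) for l2 in internal(left)}                  # (R10)
        res |= {par(left, r2) for r2 in internal(right)}
        for mu, l2 in visible(left):                                     # (R13): !v meets ?v
            for nu, r2 in visible(right):
                if TICK not in (mu, nu) and mu[0] != nu[0] and mu[1] == nu[1]:
                    res.add(par(l2, r2))
        return res
    return set()

def reachable(eta):
    """All types eta' with eta ==> eta' (closure under internal transitions)."""
    seen, todo = set(), [eta]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(internal(s))
    return seen

def can_succeed(eta):
    """eta =tick=> : some internally reachable state emits the success label."""
    return any(mu == TICK for s in reachable(eta) for mu, _ in visible(s))

def complete(eta):
    """Definition 2.1: every internally reachable state can still reach success."""
    return all(can_succeed(s) for s in reachable(eta))

def examples():
    """Examples from the text, mapped to their completeness verdict."""
    DEFS["X"] = inp("Int", ("rec", "X"))             # X = ?Int.X
    DEFS["Y"] = out("Int", ("rec", "Y"))             # Y = !Int.Y
    both = par(out("Int", ONE), out("Bool", ONE))    # eta = !Int.1 | !Bool.1
    reader = inp("Int", inp("Bool", ONE))            # ?Int.?Bool.1
    ib, bi = out("Int", out("Bool", ONE)), out("Bool", out("Int", ONE))
    sender = plus(out("Int", ONE), out("Bool", ZERO))  # !Int.1 + !Bool.0
    return {
        "?Int.1 | !Real.1": complete(par(inp("Int", ONE), out("Real", ONE))),
        "!Int.1 | ?Real.1": complete(par(out("Int", ONE), inp("Real", ONE))),
        "X | Y, X = ?Int.X, Y = !Int.Y": complete(par(("rec", "X"), ("rec", "Y"))),
        "(!Int.1 | !Bool.1) | ?Int.?Bool.1": complete(par(both, reader)),
        "(!Int.!Bool.1 + !Bool.!Int.1) | ?Int.?Bool.1": complete(par(plus(ib, bi), reader)),
        "(!Int.!Bool.1 (+) !Bool.!Int.1) | ?Int.?Bool.1": complete(par(oplus(ib, bi), reader)),
        "(1 + ?Int.1) | (1 (+) !Int.1)": complete(par(plus(ONE, inp("Int", ONE)), oplus(ONE, out("Int", ONE)))),
        "?Int.1 | (!Int.1 + !Bool.0)": complete(par(inp("Int", ONE), sender)),
        "(?Int.1 + ?Bool.1) | (!Int.1 + !Bool.0)": complete(par(plus(inp("Int", ONE), inp("Bool", ONE)), sender)),
    }

if __name__ == "__main__":
    for name, verdict in examples().items():
        print(f"{name:48} {'complete' if verdict else 'NOT complete'}")
```

The fairness built into Definition 2.1 shows up in the X | Y case: the exploration finds no deadlock, yet no reachable state offers ✓, so the type is rejected. The two expansions of !Int.1 | !Bool.1 differ exactly as the text states: composed with ?Int.?Bool.1, the + expansion is complete while the ⊕ expansion can commit to sending the Boolean first and get stuck.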

Completeness is the one notion that drives the rest of the theory. We define the subtyping relation for session types, which we call subsession, as the relation that preserves completeness: η is "smaller than" θ if every session type that completes η completes θ as well.

Definition 2.2 (subsession). We say that η is a subsession of θ, notation η ≼ θ, if η | ρ complete implies θ | ρ complete for every ρ. We write ≈ for the equivalence relation induced by ≼, namely ≈ = ≼ ∩ ≽.

In other words, we are defining an equivalence relation for session types based on (fair) testing [18]: we use completeness as the notion of test, and we say that two session types are equivalent if they pass the same tests. As a consequence, the equational theory generated by this definition is not immediately obvious, although a few relations are easy to check: for example, +, ⊕, and | are commutative, associative operators; 0 is neutral for + and 1 is neutral for |; furthermore η ⊕ θ ≼ η. Namely, it is safe to use a channel with type η ⊕ θ where another one of type η is expected. If the safety property mentioned here seems hard to grasp, one should resort to the intuition that the "type" of a channel actually is the behavior of a process communicating on that channel. A process that expects to receive a channel with type η will behave on that channel according to η; if we send that process a channel with type η ⊕ θ, the receiving process will still behave according to η, which is a more deterministic behavior than η ⊕ θ, hence no problem may arise. As a special case of reduction of nondeterminism, we have !Real.η ≼ !Int.η assuming that Int is a subtype of Real. Other useful relations are those concerning failed processes: we have 0 ≈ α.0 and !0.η ≈ ?0.η ≈ 0. More generally, the relation η ≈ 0 means that there is no session type θ such that η | θ is complete: η is intrinsically flawed and cannot be remedied. The class of non-flawed session types will be of primary importance in the following, to the point that we reserve them a name.

Definition 2.3 (viability). We say that η is viable if η | ρ is complete for some ρ.

Remark 2.1. At this stage we can appreciate the fact that subsession depends on the transition relation, and that the transition relation depends on subsession. This circularity can be broken by stratifying the definitions: a session type η is given weight 0 if it contains no prefix of the form ?ρ or !ρ; a session type η is given weight n > 0 if any session type ρ in any prefix of the form ?ρ or !ρ occurring in η has weight at most n − 1. By means of this stratification, one can see that the definitions of the transition relation and of subsession are well founded. ■

It is fairly easy to see that ≼ is a precongruence with respect to action prefix, internal choice, and parallel composition. The case of the action prefix is trivial. As regards the internal choice, it suffices to observe that (η ⊕ θ) | ρ is complete if and only if both η | ρ and θ | ρ are complete. Namely, ⊕ corresponds to a set-theoretic intersection between the session types that complete η and those that complete θ. As regards the parallel composition, the precongruence follows from the very definition of subsession, since η | η' ≼ θ | η' if (η | η') | ρ complete implies (θ | η') | ρ complete, namely if η | (η' | ρ) complete implies θ | (η' | ρ) complete, that is if η ≼ θ. Because all the non-viable session types are ≈-equal, however, ≼ is not a precongruence with respect to the external choice. For example, we have 0 ≼ !Int.0 but !Int.1 + 0 ⋠ !Int.1 + !Int.0 ≈ 0. This is a major drawback of the subsession relation as it is defined, since it prevents ≼ from being used in arbitrary contexts for replacing equals with equals (note that ≈ is not a congruence for the same reasons). We resort to a standard technique for defining the largest relation included in ≼ that is a precongruence with respect to the external choice. We call this relation strong subsession:

Definition 2.4 (strong subsession). Let ⊑ be the largest relation included in ≼ that is a precongruence with respect to +, namely η ⊑ θ if and only if η + ρ ≼ θ + ρ for every ρ. We write ≃ for the equivalence relation induced by ⊑, namely ≃ = ⊑ ∩ ⊒.

We end this section with a few results about ≼ and ⊑. First of all, we can use ⊑ for reasoning about viability and completeness of a session type:

Proposition 2.1. The following properties hold:

1. η is not viable if and only if η ⊑ 0;

2. η is complete if and only if 1 + η ⊑ η.

Then, we prove that ≼ and ⊑ are almost the same relation, in the sense that they coincide as soon as the smaller session type is viable. This means that for all practical purposes the use of ⊑ in place of ≼ is immaterial, if not for the gained precongruence, since in no case will we be keen on replacing a channel with a viable type with one that is not viable.

Theorem 2.1. η ≼ θ if and only if either η ⊑ 0 or η ⊑ θ.

Remark 2.2. It is interesting to compare ⊑ with the subtyping relation for session types in [11]. From a technical point of view, the two relations arise in completely different ways: ⊑ arises semantically as a relation between session types that preserves completeness; the subtyping relation in [11] is defined (co)inductively and by cases on the syntax of the session types being related. The essence of this latter relation is strictly connected with the direction of the exchanged messages: when S ≤ T holds, S sends more things and receives fewer, regardless of whether such things are labels or actual data. In contrast, the relation ⊑ is fundamentally determined by reduction of nondeterminism, which is captured by the law η ⊕ θ ⊑ η. Note that this law does not say anything about messages being sent or received. For example, we have !Int.1 ⊕ !Bool.1 ⊑ !Int.1 but also ?Int.1 ⊕ ?Bool.1 ⊑ ?Int.1. We can identify two other significant differences: the first one is that in our theory of session types, the successfully terminated session type 1 can be composed with actions. For example, 1 + ?Int.1 describes a process that is waiting for an integer, but is also perfectly happy to terminate the session at this time without any further communication. As another example, 1 ⊕ !Int.1 describes the behavior of a process that internally decides whether to terminate the session without any further communication, or to do so only after having sent an integer. Incidentally, observe that the two examples complete each other. In [11] (and in most session type theories) the terminal behavior cannot be composed with others. The type system we will describe later does not use this capability either, but this is just to keep it simple and with a reasonable number of rules. The second and last difference we want to emphasize is that the law η ⊑ η + θ, which is somehow the dual of η ⊕ θ ⊑ η, does not hold, while it is sound in [11]. Two main reasons justify this fact: the first is that in our theory + is an algebraic operator that can combine arbitrary session types, and for this reason the external choice sometimes is an internal choice in disguise: for example, it is possible to prove that ?Int.η + ?Int.θ ≃ ?Int.(η ⊕ θ). This cannot happen in [11] because of the very syntax of session types, which prevents arbitrary compositions of behaviors. The second reason is that the synchronous communication model we are relying upon does not tolerate the introduction of interferences. For example, we have ?Int.1 ⋢ ?Int.1 + ?Bool.1 because the session type !Int.1 + !Bool.0 completes the first session type but not the second one: the ?Bool branch introduces
an interference that may enable harmful synchronizations. For this and other reasons the adoption of a synchronous communication model is questionable in practice. However, one can show that by suitably restricting behaviors (for instance, by forbidding outputs in external choices such as in the example above) some instances of the law η ⊑ η + θ become sound again. Furthermore, it is possible to simulate partial forms of asynchrony by means of the session type language we have presented (the idea is not explored in detail here, but the interested reader may find some hints in [4]). In summary, the ⊑ relation is both an extension and a conservative restriction of the subtyping relation in [11]. ■

Table 3: Syntax of processes.

    P ::= 0            (idle)                    π ::= u?(x : t)   (value input)
        | π.P          (action prefix)               | u!e          (value output)
        | *P           (replication)                 | u?(x)        (channel input)
        | P + P        (external choice)             | u!v          (delegation)
        | P ⊕ P        (internal choice)
        | P | P        (parallel composition)
        | (νc)P        (restriction)

3 Processes 

Processes are defined by the grammar in Table 3. We use P, Q, R, ... to range over processes; we use π, ... to range over action prefixes; we use a, b, c, ... to range over channel names; we let x, y, z, ... range over variables and u, v, ... range over channel names and variables (the channel name v should not be confused with the basic value v that we used to range over elements of 𝒱); we let e, ... range over an unspecified language of expressions. The process language is a minor variation of the π-calculus, so we remark here only the differences: we have four action prefixes: u?(x : t) denotes a receive action for a basic value x of type t on channel u; u!e denotes a send action for the value of the expression e on channel u; u?(x) denotes a receive action for a channel x on channel u; u!v denotes a send action for a channel v on channel u. Consistently with the language of session types, actions denoting send/receive operations of channels are "untyped". The process *P denotes unbounded replication of process P, and P + Q and P ⊕ Q respectively denote the external and internal choice between P and Q. We will usually omit the process 0; we will write fn(P) for the set of free channel names occurring in P (the only binder for channel names is restriction); we will write P{m/x} for the process P where all free occurrences of the variable x have been replaced by m.

The transition relation of processes is defined by an almost standard relation in Table 4, so we will 
not provide detailed comments here. In the table, we write e ⇓ v for the fact that expression e evaluates to 
v. Labels of the transition relation are ranged over by ℓ, ... and are generated by the following grammar: 

ℓ ::= τ | c?m | c!m | c!(d) 

where m, ... ranges over messages, namely basic values and channel names. Action τ denotes an internal 
computation or a synchronization. Actions of the form c?m and c!m are often called free inputs and free 
outputs respectively. Actions of the form c!(d) are called bound outputs and represent the extrusion of 
a private channel, d in this case. We use these actions to model session initiations, whereby a private 
channel is exchanged and subsequently used for the actual interaction. Notions of free and bound names 
in labels are standard, with fn(c?d) = fn(c!d) = {c, d}, fn(c?v) = fn(c!v) = fn(c!(d)) = {c}, and 
bn(c!(d)) = {d}, the other sets being empty. 

Table 4: Transitions of processes (the symmetric rules for + and | are omitted).

  *P --τ--> *P | P          c?(x).P --c?d--> P{d/x}          c!d.P --c!d--> P

  e ⇓ v                                 v : t
  ------------------                    -----------------------------
  c!e.P --c!v--> P                      c?(x : t).P --c?v--> P{v/x}

  P --τ--> P'                           P --ℓ--> P'    ℓ ≠ τ
  ----------------------                ---------------------
  P + Q --τ--> P' + Q                   P + Q --ℓ--> P'

  P ⊕ Q --τ--> P

  P --c!d--> P'    Q --c?d--> Q'        P --c!(d)--> P'    Q --c?d--> Q'    d ∉ fn(Q)
  ------------------------------        ------------------------------------------
  P | Q --τ--> P' | Q'                  P | Q --τ--> (νd)(P' | Q')

  P --ℓ--> P'    bn(ℓ) ∩ fn(Q) = ∅      P --ℓ--> P'    d ∉ fn(ℓ) ∪ bn(ℓ)      P --c!d--> P'    c ≠ d
  --------------------------------      -------------------------------      ---------------------
  P | Q --ℓ--> P' | Q                   (νd)P --ℓ--> (νd)P'                  (νd)P --c!(d)--> P'

We remark only two distinctive features of the transition relation: (1) the replicated process *P 
evolves by means of an internal transition to *P | P; technically this makes *P a divergent process, but 
the fact that we work with a fair semantics makes this only a detail; (2) similarly to the transition relation 
for session types, the transition relation for processes selects branches of external choices according to 
the type of the basic value being communicated. This is evident in the transitions for c?(x : t).P, which 
are labeled by values of type t. 

The typing rules for the process language are inductively defined in Table 5. Judgments have the form 
Γ ⊢ P : Δ, where Γ is a standard environment mapping variables to basic types and Δ is an environment 
mapping channel names and channel variables to session types. We write dom(Δ) for the domain of Δ. 
Rule (T-WEAK) allows one to enrich Δ with assumptions of the form u : 1, indicating that a process 
does not use the channel u. The premise u ∉ dom(Δ) implies u ∉ fn(P) since it is always the case that 
fn(P) ⊆ dom(Δ). Rule (T-SUB) is an almost standard subsumption rule regarding the type of a channel u. 
The peculiarity is that it works "the other way round" by allowing a session type θ to become a smaller 
session type η. The intuition is that P behaves according to θ on the channel u. Thus, it is safe to declare 
that the session type associated with u is even less deterministic than θ. This rule is fundamental in the 
type system since many other rules impose equality constraints on session types that can only be satisfied 
by finding a lower bound to two or more session types. Note also the importance of using ⊑, which is 
a precongruence, since this allows us to apply rule (T-SUB) in arbitrary contexts. 
Rule (T-RES) types restrictions, by requiring the session type associated with the restricted channel to 
be of the form 1 + η. In light of rule (T-SUB) and of Proposition 2.1(2), this requirement imposes that 
the session type of a restricted channel c must be complete. Namely, there must not be communication 
errors on c. Rule (T-NIL) types the idle process with the empty session environment. The process 0 
should not be confused with the failed session type 0: the former is the successfully terminated process 
that does not use any channel; the latter denotes a communication error or a deadlock. Rule (T-INPUT) 
types an input action for basic values of type t. The assumption x : t is moved into the environment Γ 
and if the session type associated with u in the continuation P is η, then the overall behavior of P on u is 
described by ?t.η. Rule (T-OUTPUT) is similar, but regards output actions of basic values. We assume an 
unspecified set of deduction rules for judgments of the form Γ ⊢ e : t, denoting that the expression e has 
type t in the environment Γ. Rule (T-INPUTS) types an input action for a channel x. The continuation 
P must be typed in a session environment of the form {x : ρ}, requiring that P must not refer to (free) 
channels other than the received one. Consequently, the whole process behaves according to the session 
type ?ρ.1. The severe restriction on the continuation process is necessary for type preservation, as we 
will see in Example 3.5 below. Rule (T-OUTPUTS) types delegations, whereby a channel v is sent over 
another channel u. This rule expresses clearly the idea of projection we are pursuing in our approach: the 
delegated channel v is used in the continuation P according to the session type θ (which may be 1 in case 
rule (T-WEAK) is applied); at the same time, the channel v is delegated to another process which will 
behave on it according to ρ. As a consequence, the overall behavior on v is expressed by the composition 
of θ and ρ, namely by θ | ρ. If u is used in the continuation P according to η, then its type is !ρ.η in 
the conclusion. Rule (T-EXT) types external choices. These are well typed only when each branch of the 
choice is guarded by an action whose subject is u (we write subj(π) for the subject of action π). For 
this reason the rule is only applicable to processes of the form π_1.P_1 + ... + π_n.P_n, which we abbreviate 
as Σ_{i∈{1,...,n}} π_i.P_i, and the resulting behavior on u is the sum η_1 + ... + η_n of the individual behaviors 
on u of each branch, which we abbreviate as Σ_{i∈I} η_i. Rule (T-INT) types internal choices, but only when 
the two branches do have the same session environment. This can be achieved by repeated applications 
of rules (T-WEAK) and (T-SUB). Rule (T-PAR) types the parallel composition of processes. Again this 
rule shows the idea of projection and, unlike other session type systems, allows (actually requires) both 
processes to use exactly the same channels, whose corresponding session types are composed with |. In 
this context rule (T-WEAK) can be used to enforce that the session environments for P and Q are exactly 
the same, recalling that 1 is neutral for |. Finally, rule (T-BANG) types replicated processes: the basic 
idea is that a replicated process *P is well typed if any channel it uses is "unlimited" (in the terminology 
of [17]), which in our case translates to the property that it must be smaller than two copies of itself. 1 is 
the simplest session type with this property, but there are others as we will see in Example 3.1. 

Table 5: Typing rules for processes.

(T-WEAK)                                (T-SUB)
  Γ ⊢ P : Δ    u ∉ dom(Δ)                 Γ ⊢ P : Δ ∪ {u : θ}    η ⊑ θ
  -----------------------                 ----------------------------
  Γ ⊢ P : Δ ∪ {u : 1}                     Γ ⊢ P : Δ ∪ {u : η}

(T-RES)                                 (T-NIL)
  Γ ⊢ P : Δ ∪ {c : 1 + η}
  -----------------------                 Γ ⊢ 0 : ∅
  Γ ⊢ (νc)P : Δ

(T-INPUT)                               (T-INPUTS)
  Γ, x : t ⊢ P : Δ ∪ {u : η}              Γ ⊢ P : {x : ρ}
  --------------------------------        ------------------------
  Γ ⊢ u?(x : t).P : Δ ∪ {u : ?t.η}        Γ ⊢ u?(x).P : {u : ?ρ.1}

(T-OUTPUT)                              (T-OUTPUTS)
  Γ ⊢ e : t    Γ ⊢ P : Δ ∪ {u : η}        Γ ⊢ P : Δ ∪ {u : η, v : θ}
  --------------------------------        -------------------------------------
  Γ ⊢ u!e.P : Δ ∪ {u : !t.η}              Γ ⊢ u!v.P : Δ ∪ {u : !ρ.η, v : θ | ρ}

(T-EXT)                                                   (T-INT)
  Γ ⊢ π_i.P_i : Δ ∪ {u : η_i}    subj(π_i) = u    (i ∈ I)     Γ ⊢ P : Δ    Γ ⊢ Q : Δ
  -------------------------------------------------------     ----------------------
  Γ ⊢ Σ_{i∈I} π_i.P_i : Δ ∪ {u : Σ_{i∈I} η_i}                 Γ ⊢ P ⊕ Q : Δ

(T-BANG)                                                  (T-PAR)
  Γ ⊢ P : {u_i : η_i}_{i∈I}    η_i ⊑ η_i | η_i    (i ∈ I)     Γ ⊢ P : {u_i : η_i}_{i∈I}    Γ ⊢ Q : {u_i : θ_i}_{i∈I}
  -------------------------------------------------------     ------------------------------------------------------
  Γ ⊢ *P : {u_i : η_i}_{i∈I}                                  Γ ⊢ P | Q : {u_i : η_i | θ_i}_{i∈I}

Remark 3.1. Thanks to our setting, we have the opportunity to make some interesting connections 
between the subtyping relations used in type theories for programming languages and the behavioral 
preorders that arise in many testing theories for process algebras. According to Definition 2.2, if η ⊑ θ, 
then it is safe to replace a process behaving according to η with another process behaving according 
to θ. This is because, by definition of ⊑, every context that completes η will also complete θ. Note in 
particular that the safe substitution regards the larger object. This contrasts with the subtyping relations 
where it is safe to replace an object of type T with another object of type S if S is a subtype of T. In 
fact, this is exactly the notion of safe substitutability we are using in rule (T-SUB). This mismatch can 
be a source of confusion: recall that in our view a session type is not the type of a channel, but rather is 
the allowed behavior of a process on a channel. Thus, if a channel has type !Int.1, that means that 
the process using it behaves according to !Int.1. Now, it is safe to replace that channel with another 
one with type !Int.1 ⊕ !Bool.1: since we are replacing the channel, and not the process, the process 
will still behave according to !Int.1, but this time on a channel that allows more behaviors. Since 
!Int.1 ⊕ !Bool.1 ⊑ !Int.1, we are assured that the substitution is safe. ■ 

Example 3.1 (persistent service provider). Consider the process 

Q = *server?(x).P 

which accepts an unbounded number of connection requests on the channel server and processes them 
in the process P. Assume we can type the non-replicated process as follows: 

    Γ ⊢ P : {x : ρ}
  -----------------------------------------
  Γ ⊢ server?(x).P : {server : ?ρ.1}

To apply rule (T-BANG) for Q we need server to have a type η such that η ⊑ η | η, and ?ρ.1 clearly 
does not have this property. Consider the session type η that is solution of the equation X = 1 ⊕ ?ρ.X. We 
have η ⊑ ?ρ.1 and furthermore η ⊑ η | η. Hence we can now type Q with an application of rule (T-SUB) 
followed by (T-BANG). 

Example 3.2 (multi-party session). Intuitively, a multi-party session is a conversation taking place on a 
restricted channel that is shared between three or more participants. Consider a system (νa)(P | P | Q) 
where 

P = a?(x).x?(y : Int).(x!isprime(y) + x?(z : abort)) 
Q = (νc)(a!c.c!n | a!c.c!n | c?(x : Bool).c!abort) 

the idea being that the two instances of P represent two servers checking whether a number is prime. 
The process Q establishes a connection by sending the two servers a fresh channel c and sending on this 
channel some integer number n. The two servers are thus able to process the number in parallel and the 
first one that succeeds sends the result back to Q. Upon reception of the result from one of the servers, Q 
notifies the other server by sending a dummy value abort, which we assume is a singleton type inhabited 
only by abort itself. 

It is easy to verify that, within P, the channel x has type η = ?Int.(!Bool.1 + ?abort.1) and a is 
used according to the type ?η.1. In Q, a is used according to the type !η.1 | !η.1 and c is used according 
to the type η | !Int.1 | η | !Int.1 | ?Bool.!abort.1. Hence, the overall type of a is !η.1 | !η.1 | ?η.1 | ?η.1 
and the whole system is well typed since both a's type and c's type are complete. ■ 
The type system makes it possible to find type derivations for processes using channels with a non-viable 
session type. Examples of such processes are c?(x : (D).0. A non-viable session type indicates an intrinsic 
flaw in the process. For this reason viability is really the one notion that characterizes well-typedness of 
processes. We say that a session environment Δ is viable if so is every session type in its codomain. 

Theorem 3.1 (subject reduction). Let Γ ⊢ P : Δ and P --τ--> Q and Δ viable. Then Γ ⊢ Q : Δ. 

Example 3.3. If compared with more standard session type theories, the notion of viability looks like an 
additional complication of our more general setting. Actually, the rules in Table 5 project the behavior 
of a process with respect to the channels it uses and impose a few local constraints. Then, the viability 
hypothesis in Theorem 3.1 ensures that the process is really well behaved. Without this hypothesis, 
subject reduction does not hold. Consider for example the process P | Q where 

P = (νc)(a!c)        Q = a?(x).x!3 

On one hand, P sends a fresh channel c to Q, but does not use it anymore. On the other hand, Q 
pretends to send an integer on the channel it receives from P. According to the rules in Table 5 we have 
⊢ P | Q : {a : !(1).1 | ?(!Int.1).1}. In particular, the session type associated with a is not viable, because 
1 ⊑ !Int.1 does not hold. Indeed, we have the reduction 

P | Q --τ--> (νc)(0 | c!3) 

where the residual process is ill typed, since c is associated with the session type 1 | !Int.1 which is not 
complete, hence it does not satisfy the premise of rule (T-RES). ■ 

Before addressing type safety, we justify by means of examples the two main constraints imposed by 
the type system in order to guarantee type preservation. 

Example 3.4. To justify rule (T-EXT), consider the process 

P = a?(x : Int).b?(y : Bool) + b?(x : Int).a?(y : Bool) 

and suppose it well typed, where a : ?Int.1 + ?Bool.1 and b : ?Bool.1 + ?Int.1. Apparently, both a and 
b are able to receive either an integer or a Boolean value and a system such as (νa)(νb)(P | a!3 | b!3) 
would be well typed. Alas, the external choices in the types of a and b do not take into account the fact 
that any synchronization of P with another process may actually disable one branch in these choices. 
The reduction 

(νa)(νb)(P | a!3 | b!3) --τ--> (νa)(νb)(b?(y : Bool) | 0 | b!3) 

leads to an ill-typed process, since b has type ?Bool.1 | !Int.1 which is not complete. ■ 

Example 3.5. The severe constraint in the premise of rule (T-INPUTS) can be justified by looking at the 
following processes: 

P = a!c.a!c.c?(x : Int).c?(y : Bool) 
Q = a?(x).a?(y).y!true.x!3 

where P can be typed with a derivation like the following: 

  Γ ⊢ c?(x : Int).c?(y : Bool) : {a : 1, c : ?Int.?Bool.1} 
  -------------------------------------------------------------------------------- 
  Γ ⊢ a!c.c?(x : Int).c?(y : Bool) : {a : !(!Bool.1).1, c : !Bool.1 | ?Int.?Bool.1} 
  ------------------------------------------------------------------------------------------------------ 
  Γ ⊢ a!c.a!c.c?(x : Int).c?(y : Bool) : {a : !(!Int.1).!(!Bool.1).1, c : !Int.1 | !Bool.1 | ?Int.?Bool.1} 

The process P delegates the channel c twice on a. The first time, the delegated behavior is !Int.1, 
while the second time the delegated behavior is !Bool.1. Each time c is delegated, P assumes that 
the receiving process will implement the delegated behavior. However, as can be clearly seen in the 
conclusion of the typing derivation above, the overall delegated behavior of c is !Int.1 | !Bool.1, namely 
the parallel composition of the two behaviors that were separately delegated. This is fundamental for 
the completeness of c's type, since the input operations performed by the residual of P at the top of the 
typing derivation occur in a specific order. 

The process Q, which receives both delegations, is unaware that x and y will be instantiated with the 
same channel. So, Q is well typed and x and y have respectively type !Bool.1 and !Int.1, as requested 
by P, but Q uses these channels in a specific order that is not captured by the projections. The process 
P | Q deadlocks in two steps: 

P | Q --τ--> --τ--> c?(x : Int).c?(y : Bool) | c!true.c!3 

where in the final state we have c : ?Int.?Bool.1 | !Bool.!Int.1 which is not complete. By requiring, in 
the premise of rule (T-INPUTS), that the receiving process cannot use any channel other than the received 
one, we are basically imposing that the receiving process must handle every received channel in a thread 
of its own. ■ 

In judgments of the form Γ ⊢ P : Δ the environment Δ is an approximation of P insofar as it describes 
the projections of P's behavior with respect to the channels it uses and delegates. It is well known 
that this approximation is unable to capture situations where well-typed processes deadlock because the 
interdependence between communications occurring on different channels is lost. Our approach is no 
exception, as shown by the following example. 

Example 3.6 (deadlock). Consider the system 

(νa)(νb)(a!3.b?(x : Bool) | b!true.a?(x : Int)) 

where the channels a and b have respectively type η = !Int.1 | ?Int.1 and θ = ?Bool.1 | !Bool.1. In 
both cases we have 1 + η ⊑ η and 1 + θ ⊑ θ, hence the system is well typed but deadlocked. ■ 

The safety property we are able to state guarantees that, if all the processes sharing some channel 
c are immediately ready to communicate on c, then they will eventually synchronize. Since in our 
transition relation for processes synchronization is triggered not just by the channels on which messages 
are exchanged, but also by the type of the exchanged messages, the eventual synchronization translates 
to the fact that there is no communication error: it is never the case that there is a process willing to send 
a message of some type, and no other process is ever willing to receive messages of that particular type. 
The notion of "readiness" we mentioned is captured by the following definition: 

Definition 3.1 (readiness). We say that P is ready on c if P ↓ c is derivable by the rules: 

  c ∉ fn(P)                            P ↓ c    Q ↓ c        P ↓ c    Q ↓ c        P ↓ c    c ≠ d 
  ---------     π.P ↓ subj(π)          --------------        --------------        -------------- 
  P ↓ c                                P + Q ↓ c             P | Q ↓ c             (νd)P ↓ c 

Intuitively, P is ready on c if either it does not use c, in which case it plays no role in any synchro- 
nization on c, or if P is prefixed by an action whose subject is c, or if every branch of P is ready on c. 
Observe that when P = P_1 + P_2, both branches are required to be ready on c. This is not overly restrictive 
because, by rule (T-EXT), if either branch is prefixed by an action whose subject is c, so must be the 
other branch. 

Theorem 3.2. If Γ ⊢ P : Δ ∪ {c : η} and η complete and P ↓ c, then either c ∉ fn(P) or P --τ-->. 
4 Concluding remarks 

It may sound obvious to state that session types are behavioral types. Yet, although session types are 
normally associated with channels, channels do not expose any behavior. The solution of this apparently 
innocuous paradox lies in the equally obvious observation that the session type associated with a channel 
reflects the behavior of a process concerning the input/output operations that the process performs on that 
channel. By taking this mirrored point of view we have been able to define a simple and, in our opinion, 
elegant theory of session types that generalizes, unifies, and semantically justifies many concepts that 
can be found scattered in the current literature: (multi-party) session types are terms of a suitably defined 
process algebra closely based on value-passing CCS; completeness expresses the property that a session 
is well-formed and never yields a communication error; duality [11] η ⋈ θ is the special case where 
η | θ is complete; viability captures the concept of well-typed process, namely of a process that can be 
composed with others in order to implement complete sessions; the subtyping relation between session 
types arises semantically by relating those session types that preserve completeness in arbitrary contexts. 

The adoption of a fair testing semantics [18] for session types is original to the best of our knowledge. 
In fact, most presentations of session types rely on notions of duality or well-formed composition where 
the only concern is the absence of communication errors, while the fairness principle we adopt imposes 
an additional constraint: that at any time a conversation is always able to reach a so-called successful 
state. Whether or not this is desirable in practice, from a technical point of view there are both pros 
and cons: on the one hand, the fair subsession relation is more difficult to characterize coinductively 
and axiomatically because fairness escapes the mere structure of types; on the other hand, the subsession 
relation is an all-in-one tool that incorporates safe substitutability (rule (T-SUB)), viability, and complete- 
ness (Proposition 2.1). We have been unable to fully characterize completeness in terms of a non-fair 
subsession relation (see [4] for an attempt in the context of behavioral contracts). 

The type system we have provided as a proof-of-concept in Section 3 may look excessively restric- 
tive, in particular with respect to the rule (T-INPUTS) which demands that the continuation cannot use 
any (known) session other than the received one. We have three observations regarding this point: (1) this 
is a direct consequence of our focus on the idea of projected behavior, which allows a more liberal use 
of channels; (2) similar restrictions can be found in type systems guaranteeing global progress [9, 1, 3]; 
(3) the provided type system is very natural and simple, considering the freedom it leaves in the use of 
channels; this simplicity suggests that it can be smoothly extended with features such as polarities or 
roles which would likely help relax the constraints. We leave this extension as future work. 